Re: archivers/xz: update to 5.6.1

2024-03-29 Thread Jesse Darrone
Thanks, Christian!

On Fri, Mar 29, 2024 at 4:35 PM Christian Weisgerber wrote:

> Jesse Darrone:
>
> > I hate to raise the alarm, but it looks like this should be scrutinized.
> >
> > It sounds like a backdoor made it into the upstream repository:
> > https://www.openwall.com/lists/oss-security/2024/03/29/4
>
> Yes, I just learned.  I am investigating.
>
> FWIW, I did look over the complete 5.4.5 -> 5.6.1 diff as part of
> my regular update procedure, but didn't catch this in the 144028-line
> diff.
>
> --
> Christian "naddy" Weisgerber  na...@mips.inka.de
>


Re: archivers/xz: update to 5.6.1

2024-03-29 Thread Jesse Darrone
Hello,

I hate to raise the alarm, but it looks like this should be scrutinized.

It sounds like a backdoor made it into the upstream repository:
https://www.openwall.com/lists/oss-security/2024/03/29/4


On Mon, Mar 18, 2024 at 4:15 AM Christian Weisgerber wrote:

> archivers/xz: update to 5.6.1
>
> * Multithreaded mode is now the default.
> * New command line options to set filter chains using the liblzma filter
>   string syntax.
> * Significant speed optimizations to the LZMA decoder.
>
>
> I have added runtime detection code to check for CRC32 instructions
> to speed up CRC32 integrity checks on arm64.  I intend to submit
> this upstream, so if anybody has comments on that, let me know.
> (xz defaults to CRC64 anyway, so this has little practical value,
> but it is supported on other operating systems.)
>
> Upstream has added pledge() support to xzdec, rendering our previous
> patch obsolete.
>
> ok?
>
>
> diff d65615b6802f8ddeb4536c340034d07be3df3483
> 41fabc9987fb853589f2dd0de774d8f5cdbd0b69
> commit - d65615b6802f8ddeb4536c340034d07be3df3483
> commit + 41fabc9987fb853589f2dd0de774d8f5cdbd0b69
> blob - d1f7ac3fc25e3152944c4efae9a179e35ab504dc
> blob + 40addd5d055828107dd9fdb477184ffa605b5fd1
> --- archivers/xz/Makefile
> +++ archivers/xz/Makefile
> @@ -1,18 +1,19 @@
>  COMMENT=   library and tools for XZ and LZMA compressed files
>
> -DISTNAME=  xz-5.4.5
> -SHARED_LIBS=   lzma 2.2  # 9.4
> +VERSION=   5.6.1
> +DISTNAME=  xz-${VERSION}
> +SHARED_LIBS=   lzma 2.3  # 11.1
>  CATEGORIES=archivers
>  DPB_PROPERTIES=parallel
>
> -HOMEPAGE=  https://tukaani.org/xz/
> +HOMEPAGE=  https://xz.tukaani.org/xz-utils/
>
>  MAINTAINER=Christian Weisgerber 
>
>  # GPLv2+
>  PERMIT_PACKAGE=Yes
>
> -SITES= ${SITE_SOURCEFORGE:=lzmautils/}
> +SITES=
> https://github.com/tukaani-project/xz/releases/download/v${VERSION}/
>
>  # uses pledge()
>  WANTLIB=   c pthread
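Review bot: the new SITES assignment appears split over two lines here (`SITES=` on one line, the GitHub URL on the next); if that is how the Makefile reads rather than mail wrapping, a bare `SITES=` assigns an empty value and the following line is not valid make syntax, so keep the URL on the same line or use a backslash continuation. Separately, moving SITES from SourceForge to a GitHub release asset means the tarball is whatever was uploaded for the v${VERSION} release, not an archive generated from the tagged tree, which leaves the distinfo checksum as the only local integrity anchor; it would help to record in the commit message how that checksum was cross-checked against upstream's published sums.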
> blob - 98b88e2abbfec958489da8fba87fb00df54b8532
> blob + 83ae5ae9b49b503f0bcb1672db69e161dbb814b0
> --- archivers/xz/distinfo
> +++ archivers/xz/distinfo
> @@ -1,2 +1,2 @@
> -SHA256 (xz-5.4.5.tar.gz) = E1yQuTSu6PvA1Gfeh6Bctw1ifaNqvlGMNXqHNwnlt9Y=
> -SIZE (xz-5.4.5.tar.gz) = 2884510
> +SHA256 (xz-5.6.1.tar.gz) = I5j0qOUzRTJfRL3Z8Mx0Ab2QJdc2xtQ7Ny9N6ne/dbg=
> +SIZE (xz-5.6.1.tar.gz) = 3045434
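Review bot: distinfo carries only a SHA256 and a SIZE for xz-5.6.1.tar.gz, which guarantees that later fetches match the tarball the committer downloaded, not that the tarball matches the upstream source tree. Given the backdoor report linked earlier in this thread, please state where the checksum was verified (upstream's signed release sums or an independent mirror) before this is committed.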
> blob - 6061c7f3c22f7e992a2b66ff5cd7082eb1ffd5c8 (mode 644)
> blob + /dev/null
> --- archivers/xz/patches/patch-config_h_in
> +++ /dev/null
> @@ -1,16 +0,0 @@
> -Index: config.h.in
>  config.h.in.orig
> -+++ config.h.in
> -@@ -409,7 +409,11 @@
> -
> - /* Define to 1 if the system supports fast unaligned access to 16-bit,
> 32-bit,
> -and 64-bit integers. */
> --#undef TUKLIB_FAST_UNALIGNED_ACCESS
> -+#include 
> -+#if !defined(__STRICT_ALIGNMENT)
> -+#define \
> -+TUKLIB_FAST_UNALIGNED_ACCESS 1
> -+#endif
> -
> - /* Define to 1 if the amount of physical memory can be detected with
> -_system_configuration.physmem. */
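Review bot: the commit message does not say why patch-config_h_in is dropped; the deleted patch defined TUKLIB_FAST_UNALIGNED_ACCESS whenever __STRICT_ALIGNMENT is not defined, and nothing else in this diff replaces it. Add a line noting whether upstream's configure now detects fast unaligned access correctly on the OpenBSD architectures this covered, or whether the optimization simply no longer applies there.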
> blob - /dev/null
> blob + a4b473567a4e085aa4ae0b4af893e51eed1e2014 (mode 644)
> --- /dev/null
> +++ archivers/xz/patches/patch-src_liblzma_check_crc32_arm64_h
> @@ -0,0 +1,30 @@
> +Index: src/liblzma/check/crc32_arm64.h
> +--- src/liblzma/check/crc32_arm64.h.orig
>  src/liblzma/check/crc32_arm64.h
> +@@ -28,6 +28,11 @@
> + # include 
> + # elif defined(__APPLE__) && defined(HAVE_SYSCTLBYNAME)
> + # include 
> ++# elif defined(__OpenBSD__)
> ++# include 
> ++# include 
> ++# include 
> ++# include 
> + # endif
> + #endif
> +
> +@@ -103,6 +108,14 @@ is_arch_extension_supported(void)
> +   , NULL, 0);
> +
> +   return !err && has_crc32;
> ++
> ++#elif defined(__OpenBSD__)
> ++  const int isar0_mib[] = { CTL_MACHDEP, CPU_ID_AA64ISAR0 };
> ++  uint64_t isar0;
> ++  size_t len = sizeof(isar0);
> ++
> ++  return sysctl(isar0_mib, 2, , , NULL, 0) != -1 &&
> ++  ID_AA64ISAR0_CRC32(isar0) >= ID_AA64ISAR0_CRC32_BASE;
> +
> + #else
> +   // If a runtime detection method cannot be found, then this must
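Review bot: in the second hunk the sysctl call reads `sysctl(isar0_mib, 2, , , NULL, 0)` and the four added `#include` lines show no header names in this copy; if that is only mail rendering, fine, but the committed patch needs `&isar0` and `&len` as the third and fourth arguments and explicit headers for sysctl(), CTL_MACHDEP/CPU_ID_AA64ISAR0 and the ID_AA64ISAR0_CRC32 macros, otherwise the branch does not compile. Consider also checking `len == sizeof(isar0)` after the call before trusting the value, since a short read would leave isar0 partially uninitialized, which matters if this is going upstream.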
> blob - 399cb3be7c7e9134963d36b0858d09da5dc0e3ff (mode 644)
> blob + /dev/null
> --- archivers/xz/patches/patch-src_xzdec_xzdec_c
> +++ /dev/null
> @@ -1,21 +0,0 @@
> -Index: src/xzdec/xzdec.c
>  src/xzdec/xzdec.c.orig
> -+++ src/xzdec/xzdec.c
> -@@ -295,9 +295,17 @@ main(int argc, char **argv)
> -
> -   if (optind == argc) {
> -   // No filenames given, decode from stdin.
> -+  if (pledge("stdio", NULL) == -1) {
> -+  my_errorf("pledge");
> -+  exit(EXIT_FAILURE);
> -+  }
> -   uncompress(, stdin, "(stdin)");
> -   } else {
> -   // Loop through the filenames given on the command line.
> -+  if (pledge("stdio rpath", NULL) == -1) {
> -+  my_errorf("pledge");
> -+
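Review bot: the removed local patch pledged "stdio" when decoding from stdin and "stdio rpath" when filenames are given, with my_errorf("pledge") and exit(EXIT_FAILURE) on error; the commit message says upstream now has pledge() support but not which promises it requests, so please confirm the upstream calls are at least as tight and fail closed the same way before dropping the patch.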